Linux [13] - Log management - Analyzing the SSH login log file secure on Linux

Today, for certain reasons, I needed to look at the SSH login log. Opening the log file, I found it rather messy: all kinds of records are mixed together, which makes troubleshooting inconvenient. Here I record the log format for each situation separately, so that other commands can be used to analyze and troubleshoot more easily.

Location of the SSH login log file on Linux:

/var/log/secure

1. Meaning of each field in a line:

Month Day HH:MM:SS server-hostname program (sshd or su) module details

2. Log for a normal SSH connection into the server

Aug  8 02:20:09 imzcy sshd[18936]: Accepted password for root from 192.168.217.10 port 57516 ssh2
Aug  8 02:20:09 imzcy sshd[18936]: pam_unix(sshd:session): session opened for user root by (uid=0)

3. Log for logging out after a normal login

Aug 8 02:01:38 imzcy sshd[18252]: pam_unix(sshd:session): session closed for user root

4. Log for switching to another user

Aug  8 02:20:54 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug  8 02:21:06 imzcy su: pam_unix(su-l:session): session closed for user zcy

5. Log in to the system as root, switch to user zcy, then close the connection window directly while still in the zcy user.

Aug  8 02:38:11 imzcy sshd[19167]: Accepted password for root from 192.168.217.10 port 58165 ssh2
Aug  8 02:38:11 imzcy sshd[19167]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  8 02:38:13 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug  8 02:38:27 imzcy su: pam_unix(su-l:session): session closed for user zcy
Aug  8 02:38:27 imzcy sshd[19167]: pam_unix(sshd:session): session closed for user root

6. Connected to the server but cancelled at the password prompt

Aug  8 02:31:03 imzcy sshd[19046]: Received disconnect from 192.168.217.10: 13: The user canceled authentication.

7. Wrong password entered

Aug  8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10  user=root
Aug  8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2

8. Too many wrong password attempts

Aug  8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10  user=root
Aug  8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug  8 02:34:06 imzcy last message repeated 3 times
Aug  8 02:34:13 imzcy last message repeated 2 times
Aug  8 02:34:47 imzcy sshd[19126]: Disconnecting: Too many authentication failures for root
Aug  8 02:34:47 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug  8 02:34:47 imzcy sshd[19125]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10  user=root
Aug  8 02:34:47 imzcy sshd[19125]: PAM service(sshd) ignoring max retries; 7 > 3
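The formats above are easy to read by eye but awkward to grep when thousands of lines are mixed together. The following parser is an added example, not part of the original post: it turns /var/log/secure lines of the eight shapes listed above into structured events, expands syslog's "last message repeated N times" suppression lines (which otherwise hide most of a password-guessing run), and totals accepted logins, failed passwords per source address, lockouts and su switches. The sample log is a constructed excerpt copied from the listings in this post (host imzcy, client 192.168.217.10); the event kind names, the `Event` class and the brute-force threshold of 3 are this example's own choices, and the `invalid user` variant of the Failed-password line is standard sshd output that does not appear in the post.

```python
"""Parse /var/log/secure style sshd/su lines into events and summarize them (example code)."""
import re
from collections import Counter
from dataclasses import dataclass, replace
from typing import Iterable, List, Optional

# Constructed sample: lines copied from the listings in this post.
SAMPLE_LOG = """\
Aug  8 02:20:09 imzcy sshd[18936]: Accepted password for root from 192.168.217.10 port 57516 ssh2
Aug  8 02:20:09 imzcy sshd[18936]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug  8 02:20:54 imzcy su: pam_unix(su-l:session): session opened for user zcy by root(uid=0)
Aug  8 02:21:06 imzcy su: pam_unix(su-l:session): session closed for user zcy
Aug  8 02:31:03 imzcy sshd[19046]: Received disconnect from 192.168.217.10: 13: The user canceled authentication.
Aug  8 02:33:28 imzcy sshd[19125]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10  user=root
Aug  8 02:33:31 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug  8 02:34:06 imzcy last message repeated 3 times
Aug  8 02:34:13 imzcy last message repeated 2 times
Aug  8 02:34:47 imzcy sshd[19126]: Disconnecting: Too many authentication failures for root
Aug  8 02:34:47 imzcy sshd[19125]: Failed password for root from 192.168.217.10 port 57994 ssh2
Aug  8 02:34:47 imzcy sshd[19125]: PAM 6 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.217.10  user=root
Aug  8 02:34:47 imzcy sshd[19125]: PAM service(sshd) ignoring max retries; 7 > 3
"""

# Header: "Mon  D HH:MM:SS host program[pid]: message"; su logs without a pid ("su:").
HEADER_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<msg>.*)$"
)
# syslog suppression line: it stands for N more copies of the previous line.
REPEAT_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+last message repeated (?P<n>\d+) times$"
)
# (event kind, pattern over the message part). Kind names are this example's own.
MESSAGE_PATTERNS = [
    ("accepted", re.compile(r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("failed_password", re.compile(r"^Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")),
    ("pam_auth_failure", re.compile(r"^pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<ip>\S+)\s+user=(?P<user>\S+)")),
    ("pam_more_failures", re.compile(r"^PAM (?P<n>\d+) more authentication failures;.*rhost=(?P<ip>\S+)\s+user=(?P<user>\S+)")),
    ("too_many_failures", re.compile(r"^Disconnecting: Too many authentication failures for (?P<user>\S+)")),
    ("client_disconnect", re.compile(r"^Received disconnect from (?P<ip>\S+): (?P<code>\d+): (?P<reason>.*)")),
    ("session_opened", re.compile(r"^pam_unix\((?P<service>[^:]+):session\): session opened for user (?P<user>\S+) by (?P<by>\S*?)\(uid=(?P<uid>\d+)\)")),
    ("session_closed", re.compile(r"^pam_unix\((?P<service>[^:]+):session\): session closed for user (?P<user>\S+)")),
]


@dataclass(frozen=True)
class Event:
    time: str                  # "Aug 8 02:33:31" as written (this log format has no year)
    host: str
    prog: str                  # sshd or su
    kind: str                  # a MESSAGE_PATTERNS kind, "su_opened", or "other"
    user: Optional[str] = None
    ip: Optional[str] = None   # client address, where the message carries one
    by: Optional[str] = None   # calling user for su sessions ("root" in "by root(uid=0)")
    count: int = 1             # > 1 when expanded from "last message repeated N times"
    raw: str = ""


def parse_line(line: str, prev: Optional[Event] = None) -> Optional[Event]:
    """Parse one line; `prev` is the previous event so repeat lines can be expanded."""
    line = line.rstrip("\n")
    m = REPEAT_RE.match(line)
    if m:
        if prev is None:
            return None
        return replace(prev, time=f"{m['month']} {m['day']} {m['time']}", count=int(m["n"]), raw=line)
    m = HEADER_RE.match(line)
    if not m:
        return None
    stamp = f"{m['month']} {m['day']} {m['time']}"
    for kind, pat in MESSAGE_PATTERNS:
        mm = pat.match(m["msg"])
        if mm:
            g = mm.groupdict()
            # A PAM session opened by su is a user switch, not a new login.
            k = "su_opened" if kind == "session_opened" and m["prog"] == "su" else kind
            return Event(stamp, m["host"], m["prog"], k, user=g.get("user"), ip=g.get("ip"), by=g.get("by") or None, raw=line)
    return Event(stamp, m["host"], m["prog"], "other", raw=line)


def parse_log(text: str) -> List[Event]:
    events: List[Event] = []
    prev: Optional[Event] = None
    for line in text.splitlines():
        if line.strip():
            prev = parse_line(line, prev)
            if prev is not None:
                events.append(prev)
    return events


def summarize(events: Iterable[Event]) -> dict:
    """Totals keyed the way a responder wants them: who got in, who kept failing, who switched user."""
    s = {"accepted": Counter(), "failed": Counter(), "lockouts": Counter(), "switches": Counter()}
    for e in events:
        if e.kind == "accepted":
            s["accepted"][(e.ip, e.user)] += e.count
        elif e.kind == "failed_password":
            s["failed"][(e.ip, e.user)] += e.count
        elif e.kind == "too_many_failures":
            s["lockouts"][e.user] += e.count
        elif e.kind == "su_opened":
            s["switches"][(e.by, e.user)] += e.count
    return s


def suspicious_sources(events: Iterable[Event], threshold: int = 3):
    """(ip, user, failures) for every source that reached `threshold` failed passwords, worst first."""
    failed = summarize(events)["failed"]
    return sorted(((ip, u, n) for (ip, u), n in failed.items() if n >= threshold), key=lambda t: -t[2])


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for name, counter in summarize(evs).items():
        print(name, dict(counter))
    print("suspicious:", suspicious_sources(evs))
```

On the sample, the three Failed-password lines plus the two suppression lines expand to 7 failures from 192.168.217.10 against root, which is exactly the "7 > 3" that sshd reports in the last line of section 8. To run it against a real file, replace `SAMPLE_LOG` with the contents of /var/log/secure (reading it needs root); the repeat expansion assumes the suppression line follows the line it repeats, which is how syslog writes it.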
